WASHINGTON – U.S. Sen. Amy Klobuchar wants to require Facebook to disclose data breaches to affected users within three days, one of a series of regulations she plans to propose for the social media giant in the wake of recent controversy over its privacy controls.

The measure came out of “realizing [Facebook] really didn’t have a way for the users to protect themselves,” Klobuchar, D-Minn., said in an interview. She is teaming with Sen. John Kennedy, R-La., on legislation they hope to introduce soon.

Facebook CEO Mark Zuckerberg recently testified on Capitol Hill in response to outrage that the company failed to let users know about Russian-linked Cambridge Analytica’s harvesting of the personal information of 87 million Facebook users. Asked why he hadn’t disclosed the data breach, Zuckerberg told lawmakers that the company took down the app from which Cambridge Analytica had bought data and demanded the parties involved stop using any data they requested.

Facebook “considered it a closed case — in retrospect, it was clearly a mistake,” Zuckerberg told the Senate Judiciary Committee, on which Klobuchar sits.

“That’s just not good enough,” Klobuchar told the Star Tribune. “That’s why we want to put this into law that within 72 hours you have to disclose, otherwise you have the sites doing this all the time.”

At the hearing, Zuckerberg told Klobuchar that the proposal made sense to him. The European Union’s General Data Protection Regulation already enforces a 72-hour disclosure rule.

Glen Stubbe, Star Tribune

Sen. Amy Klobuchar, shown in March, plans to propose a series of regulations for Facebook in the wake of recent controversy over its privacy controls.

With the U.S. midterm election 6½ months away, social media platforms are under pressure to ensure that consumers’ personal data aren’t harvested for political gain — and Congress has limited time to act. A spokesperson for Kennedy’s office said he and Klobuchar “are working together to ramp up support on both sides of the aisle.”

The proposal would give social media users the right to disable data tracking and collection, allow users to see what information of theirs has already been gathered and shared, and require that sites have a privacy program. It would also require that terms of service agreements be written in plain language that consumers can easily understand, with a link to the longer legal document.

A Facebook spokesperson issued a brief statement in response to the proposal: “We look forward to reviewing the details of the legislation.”

In questioning Zuckerberg last week, Kennedy predicted “a whole bunch of bills introduced to regulate Facebook. It’s up to you whether they pass or not. You can go back home, spend $10 million on lobbyists and fight us, or you can go back home and help us solve this problem.”

Klobuchar said she views the proposal as a “consumer social media bill of rights,” adding that she intends the proposal to apply widely to social media companies, not just Facebook. “I don’t think it’s going to stifle information at all — I think it’s going to protect consumers’ privacy, and that’s why Mark Zuckerberg was acknowledging that we need privacy rules for the whole industry.”

Details of the bill remain to be worked out. But several experts pointed out that the issues raised during Zuckerberg’s testimony can be hard to legislate.

Betsy Sigman, a Georgetown University business professor who studies e-commerce and social media, questioned who would make the rules stick. She noted that disclosing a data breach within three days usually isn’t easy, given that they often aren’t discovered for months. Nor is it always easy to put in place service agreements without complex legalese, she added.

“We saw how up to date on the internet and its workings Congress is during the hearings,” Sigman said. “Do we really want them to be running gung-ho into regulation-making right now?”

Abhishek Nagaraj, a business professor at the University of California, Berkeley, said it’s hard to define what encompasses personal data on social media platforms — beyond the obvious categories of, say, age and address — when internet companies track every click.

“There’s some information that we all agree is personal, but there will be a bunch of gray zones and defining that will be interesting,” Nagaraj said. He predicted that stronger limits on access to personal information could make some social media advertising methods less effective, pushing social media companies to look for other ways of raising revenue.

Nagaraj suggested that federal lawmakers seek expert help as they approach social media regulation.

“My sense is I think Congress should play a role, but they should … try to get in people who really understand these issues and help in crafting the legislation,” he said.